The SCO OpenServer(TM) Maintenance Pack 3
contains important fixes for your SCO OpenServer Release 5.0.7 system
and should be applied at your next maintenance period.

NOTE:
This is the second SCO OpenServer Release 5.0.7 Maintenance Pack. To preserve a
numerical correlation with Update Pack 3, this Maintenance Pack is
named MP3. There is no Maintenance Pack 2.

These Release and Installation Notes
contain critical information that you need to know
before and after installing SCO OpenServer Release 5.0.7 Maintenance Pack 3.
Please familiarize yourself with the information that is
relevant to your system, then install the Maintenance Pack
according to the instructions in this document.

NOTE:
Unless otherwise noted, this document supplements
the SCO OpenServer Release 5.0.7 Late News, which are still relevant.
As information becomes available
after the publication of these
Release and Installation Notes,
it is added to the SCO OpenServer Release 5.0.7 Late News document,
available from the SCO web site at:

About Maintenance Packs and Update Packs

There are two support ``tracks'' that are
available to SCO OpenServer Release 5.0.7 customers:

Maintenance Packs

A Maintenance Pack (MP) is a collection of
security updates and fixes for reported problems.
Maintenance Packs are made available periodically
and can be downloaded and installed free-of-charge.
Maintenance Packs are cumulative, so only the latest
one needs to be installed.

Update Packs

An Update Pack (UP) is a collection of
some of the new features and product enhancements
that will be included in the next SCO OpenServer release.
Available only for registered subscribers
to the SCO Update Service,
Update Packs provide a simplified and streamlined
process for deploying new technology and
keeping systems updated.

Update Packs supplement the Maintenance Packs.
Each Update pack requires the installation of
a corresponding Maintenance Pack.
Update Packs are cumulative, so you only need to
install the latest Maintenance Pack plus the latest
Update Pack to bring the system up to date with
the latest features and enhancements.

Obtaining Maintenance Packs

If your SCO OpenServer media kit contains the
SCO OpenServer SCO OpenServer Release 5.0.7 Supplement CD,
you can install the MP from the CD.
You should check the SCO OpenServer Release 5.0.7 Supplements web page,
however, to verify that the Supplement CD
contains the most current Maintenance Pack available.

Before installing the Maintenance Pack

Back up the data on your system and verify the
integrity of the backup.

The RS507B Release Supplement
(a component of the Maintenance Pack)
is a critical requirement for the other components in
the Maintenance Pack to function correctly.

Maintenance Pack 3 can only be installed on SCO OpenServer Release 5.0.7 systems.

Maintenance Pack 3 supersedes the following Supplements:

SLS OSS631 -- Supplemental Graphics, Web, and X11 Libraries

SLS OSS646 -- Execution Environment Supplement

SLS OSS656 -- Licensing Update

SLS OSS662 -- MP1 Supplement

Large Filesystem Performance Supplement (lpfs)

wd Driver Supplement

NOTE:Do not install any of these supplements on your system
after you have installed this Maintenance Pack.

Before installing the Maintenance Pack,
you should remove OSS646A/OSS646B
and OSS656A/OSS656B. It is not necessary to
first remove any of the OSS631 supplements.

When you remove the recommended supplements, you do
not need to reboot the system after the kernel is
re-linked. The Maintenance Pack installation
also re-links the kernel -- you can reboot at that point.

The "Supplemental Graphics, Web, and X11 Libraries" package
(gwxlibs) should always be installed.
Several packages (such as ssh and Apache) depend on these libraries
and will fail with dynamic linker errors if they are not present.

Installing the Maintenance Pack using SCO Update

SCO Update
allows you to install Maintenance and Update Packs directly over the Internet.
This approach saves you the time -- and extra hard disk space --
of first downloading installable image files from the SCO
web or FTP sites.

NOTE:
Maintenance Pack 1 added support for SCO Update to
the Software Manager. If MP1 was
never installed on your system,
SCO Update will not be available from within the
Software Manager until after you install MP3.

To use SCO Update:

Log in as root.

Start the Software Manager by double-clicking
on its icon on the desktop, or by entering the
following at the command-line prompt:

scoadmin software

From the Software menu, select SCO Update.
The system connects to the SCO Update server.

The Install Selection window displays
all of the SCO OpenServer Release 5.0.7 update packs, maintenance packs,
drivers, and so forth that are currently available.

Highlight "Maintenance Pack 3" and click on Install.

The selected software is automatically downloaded
and installed on your system.

WARNING:
The Software Manager
displays one or more warnings if the Maintenance
Pack contains fixes
for software features that are not currently installed on your system. If you
do not plan to install the affected package (for example: SMP),
you can ignore such messages and click on Continue. However,
if you do plan to install this package later, you should stop
the install process, install the package in question from the installation
media, and restart the Maintenance Pack installation.
This ensures the fixes are applied properly (and avoids potential problems).

If any Maintenance Pack fixes were not installed because the
corresponding feature was not present, the Software Manager
shows the Maintenance Pack as only partially installed. This is normal.

When the installation is complete, click on OK.

Exit the Software Manager by selecting the
Host menu, then Exit.

Reboot the machine. (Because the Software Manager
relinks the kernel,
you must reboot before the new kernel takes effect.)

We recommend that you use SCO Update periodically to
check for new updates, fixes, or drivers for SCO OpenServer Release 5.0.7.

NOTE:
Maintenance Pack 3 consists of a tar archive containing a number
of media image files with names of the form
VOL.000.000, VOL.000.001,
and so forth. (You also have the option of downloading the individual
VOL files.) Because all update and maintenance packs use this
same filename scheme, you should create a master directory with a
unique subdirectory to store each pack. The master directory could be
/usr/updates,
/usr/spool/patches,
or whatever suits your system layout. The master hierarchy
should be writable by root only.

If you download the individual files rather than the tar archive,
please be sure to carefully verify that all of the
sequentially-numbered VOL files are present in your download
directory before proceeding.

Download the 507mp3_vol.tar file
and use this command
to extract the media image files:

tar xvf 507mp3_vol.tar

Start the Software Manager by double-clicking on its
icon on the desktop, or by entering the following at the
command-line prompt:

scoadmin software

From the Software menu, select Install New.

When prompted for the host (machine),
select the current host and then click on Continue.

Select Media Images as the Media Device,
then click on Continue. (You may need to scroll down
before you see the Media Images option.)

Enter the absolute pathname for the directory
that contains the Maintenance Pack 3 media images.
For example:

/usr/spool/patches/507mp3

Click on OK.

In the Install Selection window,
make sure that the Maintenance Pack is highlighted,
then click on Install.

NOTE:
Any component of the Maintenance Pack that updates existing
software (such as the RS507B Release Supplement)
must be installed.
New features such as cdrtools are optional.

If you previously installed any of the components that
are modified by the Maintenance Pack,
you are notified that these components will be upgraded.
Click on Continue.

Additionally, you are warned if certain packages
in the Maintenance Pack will not be installed
because the software they modify is not installed
on your system. Click on Continue.

WARNING:
The Software Manager displays one or more
warnings if the Maintenance Pack contains fixes
for software features that are not currently installed on your system. If you
do not plan to install the affected package (for example: SMP),
you can ignore such messages and click on Continue. However,
if you do plan to install this package later, you should stop
the install process, install the package in question from the installation
media, and restart the Maintenance Pack installation.
This ensures the fixes are applied properly (and avoids potential problems).

If any Maintenance Pack fixes were not installed because the
corresponding feature was not present, the Software Manager
shows the Maintenance Pack as only partially installed. This is normal.

When the installation is complete,
click on OK.
The Software Manager lists Maintenance Pack 3
among the installed software.

Exit the Software Manager
by selecting the Host menu,
then Exit.

Reboot the machine. (Because the Software Manager
relinks the kernel,
you must reboot before the new kernel takes effect.)

Installing the Maintenance Pack from CD-ROM

Insert the SCO OpenServer Release 5.0.7 Supplement CD Version 3
into the drive.

Start the Software Manager by double-clicking on its
icon on the desktop, or by entering the following at the
command-line prompt:

scoadmin software

From the Software menu, select Install New.

When prompted for the host (machine),
select the current host and then click on Continue.

Select the appropriate CD-ROM drive
as the Media Device, then
click on Continue.

In the Install Selection window,
make sure that the Maintenance Pack is highlighted,
then click on Install.

NOTE:
Any component of the Maintenance Pack that updates existing
software (such as the RS507B Release Supplement)
must be installed.
New features such as cdrtools are optional.

If you previously installed any of the components that
are modified by the Maintenance Pack,
you are notified that these components will be upgraded.
Click on Continue.

WARNING:
The Software Manager displays one or more
warnings if the Maintenance Pack contains fixes
for software features that are not currently installed on your system. If you
do not plan to install the affected package (for example: SMP),
you can ignore such messages and click on Continue. However,
if you do plan to install this package later, you should stop
the install process, install the package in question from the installation
media, and restart the Maintenance Pack installation.
This ensures the fixes are applied properly (and avoids potential problems).

If any Maintenance Pack fixes were not installed because the
corresponding feature was not present, the Software Manager
shows the Maintenance Pack as only partially installed. This is normal.

When the installation is complete,
click on OK.
The Software Manager lists Maintenance Pack 3
among the installed software.

Exit the Software Manager
by selecting the Host menu,
then Exit.

Reboot the machine. (Because the Software Manager
relinks the kernel,
you must reboot before the new kernel takes effect.)

Installing the Maintenance Pack across the network

You can install SCO OpenServer Release 5.0.7 Maintenance Pack 3
from one SCO OpenServer Release 5.0.7 system onto
another across a TCP/IP network. To do so, you need a software server,
which you can create as described in
"Installing and managing software over the network"
in the SCO OpenServer Networking Guide.
This server has a user account called swadmin.

Install or load Maintenance Pack 3 on the software server
using one of the installation procedures described in
``Maintenance Pack Installation''.
Also see
"Installing and managing software components"
in the SCO OpenServer Handbook
for more information on loading software.

To install Maintenance Pack 3 onto a local machine
once the Maintenance Pack is available from the software server,
start the Software Manager and select Install New.
In the Begin Installation window,
you are prompted for the source location
of the Maintenance Pack. Select From Another Host.
You need to provide the name of the software
server, as well as the password of the swadmin
user on the software server.

Removing a Maintenance Pack

WARNING:
Because of interdependencies between the components
that are included in Maintenance Packs,
partial removal of an MP is not supported.

Removing Maintenance Pack 3 de-installs the
Apache Web Server, Perl, and Supplemental
Graphics, Web, and X11 Libraries components.
When these components are removed, many system
functions will cease to work, including
Squid, Samba, and the GNU Development Tools
(if installed).

After removing the Maintenance Pack, it is
imperative that you reinstall the Apache Web Server,
Perl, and Supplemental Graphics, Web, and X11 Libraries
components from your SCO OpenServer Release 5.0.7 System CD-ROM.
This section explains how to do this.

NOTE:
Drivers for new hardware have been moved out of the Maintenance
Pack and are available on the Supplement CD.

Support for IDE hard disks larger than 137GB

Previously, this feature was part of the Update Packs; it
is now included in Maintenance Pack 3.

Maintenance Pack 3 includes a new revision of the
wd(HW)
driver that supports IDE hard disks
larger than 137GB.

NOTE:
If you have a new IDE hard disk that is larger
than 137GB that you want to add to your system,
you should do so after you have installed
the Maintenance Pack and the new wd driver.
If you want to use the disk as your root drive, you
need to load the new driver at boot time (using the
link(HW)
bootstring) before beginning the installation.

If your system currently uses an IDE drive
larger than 137GB, the new wd
driver makes it possible to use the full capacity
of the disk. To use the entire disk, however,
you must manually reconfigure the drive to
recreate the existing disk partitions or to create new ones.
The wd driver readme explains
this process in detail.

Instructions for installing the wd driver are
provided on the SCO web site at:

or the SCO OpenServer Release 5.0.7 Supplement CD Version 3.
We strongly recommend that you review these
instructions before using the new features of the driver.

CD writer support: cdrtools

The cdrtools package (ver 2.01a27) is now included and
officially supported in SCO OpenServer Release 5.0.7.
It is a set of programs for creating CD images
(mkisofs) and writing data to recordable/rewritable CDs
(cdrecord).

NOTE:cdrecord(1)
supports many options
and formats that are beyond the scope of basic file archiving.
This section documents the most common tasks for creating
data CDs
and includes information specific to SCO OpenServer Release 5.0.7.

Tested hardware

The following drives have been tested on SCO OpenServer Release 5.0.7:

The default entry is ide (as defined by CDR_DEVICE).
Because a generic SCSI driver is used for all
CD drives, the SCSI address
scheme (host adapter, device, LUN) is used even with
IDE controllers. At the same time, this scheme only
applies to IDE controllers with CD
drives (that is, the numbering of host adapters is not absolute.) For
example, on a system with no SCSI adapters and two IDE
controllers, the controller with the CD
drive attached is host adapter 0 (even if it happens to be the
secondary IDE controller).

NOTE:
On the command line, the LUN (0) can be omitted (as it is
in the examples discussed here).

Note the default addresses for other drives
are not realistic; be sure and change the device address in second column
to match the actual drive settings. The other columns (speed, buffer size,
and driver options) can be set as desired. A value of -1
indicates that the device uses its own default value.
The quotes in the column indicate an empty option list; burnfree
allocates a larger buffer for write operations (if supported by the drive).
Other options are documented in
cdrecord(1).

Creating a data disc

Before using cdrecord to make a data disc
you must first create an ISO image
with mkisofs. This sample command creates an
ISO9660 image of the working directory (.)
with Joliet (-J) and RockRidge (-r) directory entries
and stores it in the file /tmp/cdimg.iso:

mkisofs -r -J -o /tmp/cdimg.iso .

To write this image to a disc, you would use a command like this:

cdrecord -v -eject dev=0,0 /tmp/cdimg.iso

The -v is optional and generates verbose output.
The dev=
argument can also be omitted if the default drive is defined in
/etc/default/cdrecord. The -eject option
ejects the disc when the process is complete. In addition,
cdrecord displays a nine-second countdown to give you an
opportunity to abort the command.

If the system is relatively idle (with little or no disk activity),
it is possible to skip creating the image and
pipe the output of mkisofs directly to cdrecord:

mkisofs -r /usr/home/cforbin | cdrecord -

In this example, the contents of /usr/home/cforbin is written
to the disc (the - argument takes data from the standard input).

WARNING:
On active systems you should create an ISO image for best results.

Mounting a disc

You can mount and unmount a disc from the desktop
using the MountCD icon,
or from the command line as in these examples using
/mnt as a mount point:

mount -r /dev/cd0 /mnt
umount /mnt

Media support

cdrecord supports the following drive types/media:

Media Type

Read-Write Behavior

CD-R

Existing data cannot be erased or overwritten

Additional sessions can be appended

CD-RW

Entire disc can be erased/blanked

Explicit erasing/blanking required before rewrite

Additional sessions can be appended

Multisession support

To create multisession disks, you must use the -multi
option to leave the CD open (un-fixated) for writing additional sessions:

cdrecord -multi image.iso

To finalize a CD (making it non-writable),
simply omit the -multi option.

Writing a new session on a CD normally hides the previous
session from view (requiring an application that allows you
to select the active session). However, it is
possible to import the TOC (table of contents)
from the previous session and make
the previously-written data available in the
ISO image for the new session.

In this example, mkisofs uses the -C option to execute
the cdrecord -msinfo command on the specified drive
(-M 0,0) to read the location of the previous session
and uses the response to create the ISO image:

When cdrecord is used to write the image to CD,
all the previous data will be accessible along with the new files
(in this example, from /usr/home/colossus).

Multisession support: mount(ADM)

The
mount(ADM)
command now includes options to mount CD filesystems
by session or sector. See the
mount(ADM)
manual page for details.

By default, the
mount(ADM)
command mounts the last session.
To override the default and
mount the first session, use the syntax in this example:

mount -o session=1 /dev/cd0 /mnt

At this time, only the first and last sessions can be mounted
by session number. However, the sector
option can be used to mount an arbitrary session by the starting sector
number. On newer drives, you can use the -toc option of the
cdrecord(1)
command to obtain the starting sector:

You can use the lba output to mount the desired sector. In this example,
the command mounts session 2, which starts at sector 20235:

mount -o sector=20235 /dev/cd0 /mnt

NOTE:
If you used
cdrecord(1)
when it was provided on the Skunkware CD (and multisession
CD read support was not present in SCO OpenServer Release 5.0.7), note that the
the last session is now mounted by default.
Multisession CDs typically include
files from previous sessions by reference, so this should yield
a better view of the contents of the disc.

Additions to Internet Services: Tomcat and JK

Maintenance Pack 3 includes the following
additions to Internet Services:

Apache Tomcat Servlet Container 4.1.29: an open source package that
provides a container for
JavaServer Pages(TM) and Java(TM) Servlets. Requires the
Java 2 JRE and Java SDK (1.3.1 or 1.4.2).

JK: a plugin that replaces mod_jserv and handles the
communication between Tomcat and Apache.

You can change these entries to include the desired web login,
password, and the role to which you want them assigned. (Do not
confuse these "web" logins that are used to access the
administrative web application with operating system system logins.)
The admin and manager
roles/logins allow someone with the proper password to
run the admin and manager web applications.
For example, the following entries create admin and
manager web logins
with tomcat as the password:

Tomcat web application Java exception error

If you log into the Tomcat Application Manager, stop an Application,
restart it, then proceed to the application path and then use the
Back button to return to the Tomcat Web Application Manager,
the following error may be displayed in the Messages box
of the Tomcat Application Manager:

FAIL - Application at context path /tomcat-docs could not be started
FAIL - Encountered exceptionjava.lang.IllegalStateException:
standardHost.start /tomcat-docs: LifecycleException: Container
StandardContext[/tomcat-docs] has already been started

This is not a fatal error and is not unique to SCO OpenServer Release 5.0.7 systems.
The workaround is to use reload instead of stop or start.

X.Org runtime libraries

The X.Org X11 Release 6.7 runtime libraries, header files, and core fonts
are now included and
supported by SCO in SCO OpenServer Release 5.0.7. The man pages for the X.Org
routines are also installed on the system, but are not included in the
MANPATH
environment variable. (This is done to avoid collision with the
existing X11R5 man pages.) If you wish to access the X.Org man
pages in preference to X11R5, insert
/usr/X11R6/man into your MANPATH
variable (or the system-wide setting in /etc/default/man)
before the /usr/man entry, as in this example:

MANPATH=scohelp:/usr/X11R6/man:/usr/man:/usr/gnu/man:/usr/local/man

If you add the X11R6 path to /etc/default/man,
you should also update the man page database by executing
the following command as root:

/usr/man/bin/makewhatis /usr/X11R6/man/*

Updates to Mozilla web browser and new plugins

Maintenance Pack 3 includes Mozilla 1.6 and the following new plugins:

Plugger 5.0

supports the display of media files within the browser.
You must install a player that supports the desired media;
these are available in the Skunkware package on the
SCO website.

Xpdf 3.0

plugin that allows PDF files to be displayed inside the browser.

In addition, Mozilla 1.6 is pre-configured to work with the
Java Plugin provided on the SCO OpenServer Release 5.0.7 Supplement CD Version 3.

Mozilla and the XSENDER command

This release of Mozilla is configured to disable mail authentication
via the XSENDER command. If your POP server supports the XSENDER
command and you wish to enable this feature, either edit the system-wide
preferences in /usr/lib/mozilla-1.6/defaults/pref/mailnews.js
and set the auth_login preferences to true,
or add such entries to your individual
Mozilla preferences as described at the following URL:

http://www.mozilla.org/unix/customizing.html#prefs

Updates to UDK compatibility libraries

Maintenance Pack 3 includes an update to
8.0.2 of the UDK compatibility libraries,
which contains numerous fixes to the runtime libraries and
provides support for user-level threads for UDK
applications.

Updates to the Supplemental Graphics, Web, and X11 Libraries

The following changes are included with Maintenance Pack 3
in the Supplemental Graphics, Web, and X11 Libraries:

Everything compiled to use X11R6 libraries and headers

libmng updated to version 1.0.7

Xaw3D updated to version 1.5E

JasPer updated to 1.701.0

OpenSLP updated to 1.2.0

libART-LGPL 2.3.16 added

trio 1.10 added

popt 1.7 added

libgsf 1.8.2 added

libcroco 0.5.0 added

libwmf 0.2.8.2 added

librsvg 2.7.1 added

libexif 0.5.12 added

libexif-gtk 0.3.3 added

libgtkhtml-2 2.6.0 added

ICU updated to 2.8

Xerces updated to version 2.5.0

Xalan updated to version 1.7.0

cURL updated to version 7.11.1

Cyrus SASL updated to version 2.1.18

FreeType2 updated to version 2.1.8

LCMS updated to version 1.12

libIDL updated to version 0.8.3

TIFF library updated to 3.6.1

libxml2 updated to version 2.6.9

libxslt updated to version 1.1.6

gdome updated to 0.8.1

XMLSEC updated to version 1.2.5

NetPBM updated to version 10.20

BerkeleyDB updated to version 4.2.52 + patches

OpenLDAP updated to version 2.2.9

OpenSSL 0.9.6 updated to version 0.9.6m

OpenSSL 0.9.7 updated to version 0.9.7d

PCRE updated to version 4.5

ZLIB updated to version 1.2.1

Sablotron updated to 1.0.1

giflib updated to ungif 4.1.0

GD2 updated to 2.0.22

gettext updated to 0.14.1

fontconfig updated to 2.2.2

Added missing include files from freetype 1

Fixed module names and installation location for Pango

The following changes were included with Maintenance Pack 1
in the Supplemental Graphics, Web, and X11 Libraries
(previously SLS OSS631B):

added Xerces-C version 2.2.0

added Xalan-C version 1.5.0

added Sablotron version 0.98

added JavaScript version 1.5rc4 (Mozilla SpiderMonkey)

added ICU (International Components for UniCode) version 2.4

added cURL version 7.10.5

GNU gettext updated to version 0.11.5

OpenSSL updated to version 0.9.6j

Berkeley DB updated to version 4.1.25 + patch 1

JASper updated to version 1.700.2

libMNG updated to version 1.0.5

NetPBM updated to version 10.17

GTK+ 2 updated to version 2.2.2

Pango updated to version 1.2.3

ATK updated to version 1.2.4

GLIB 2 updated to version 2.2.2

SLang updated to version 1.4.9

libmm updated to version 1.3.0

libxml2 updated to version 2.5.8

libxslt updated to version 1.0.31

xmlsec updated to the official 1.0.3 version

OpenSLP updated to version 1.0.11

SASL updated to version 2.1.14

lcms updated to version 1.10

pkg-config updated to version 0.15

OpenLDAP updated to version 2.1.22

FreeType2 updated to version 2.1.4

PCRE updated to version 4.3

TIFF updated to version 3.5.7

GDOME updated to version 0.7.4

GD updated to version 2.0.15
(version 1.8.4 provided as well)

dependency errors in several configuration scripts
have been fixed

several missing include files now included

all gwxlibs libraries are compiled with -D_REENTRANT
for better interoperation with software threads libraries

several missing aclocal M4 packages now included

the library files for the SLang shell (slsh) now included

fixed the zlib gzprintf() CERT vulnerability

fixed a GDK compile error that was
preventing shared memory from being used

fixed a compilation error in libmm that was causing
multiple shared memory mechanisms to be defined

all libraries compiled with FD_SETSIZE set
to the maximum value so that these libraries can work with
systems that allow a large number of open file descriptors

Updates to Perl

The following changes are included with Maintenance Pack 3
in the Perl 5.8.4 component:

additional modules for XML support.

The following changes were included with Maintenance Pack 1
in the Perl 5.8.0 component:

ssh(1)
now uses untrusted cookies for X11-Forwarding.
Some X11 applications might need full access to the X11 server,
see ForwardX11Trusted in
ssh(1)
and
xauth(1)
for more information.

ssh(1)
now supports sending application layer
keep-alive messages to the server. See ServerAliveInterval
in
ssh(1)
for more information.

Improved
sftp(1)
batch file support.

New KerberosGetAFSToken option for
sshd(8).

Updated /etc/ssh/moduli
file and improved performance for protocol version 2.

Support for host keys in DNS
(draft-ietf-secsh-dns-xx.txt).
Please see README.dns in the source distribution for details.

Fixed a number of memory leaks.

The experimental "gssapi" support has been replaced with
the "gssapi-with-mic" to fix possible MITM attacks.
The two versions are not compatible.

NOTE:
When using
ssh(1),
the contents of the /etc/motd file are displayed
twice at login. To prevent this from occurring, edit the
/etc/ssh/sshd_config
and change the #PrintMotd yes entry to remove the comment
symbol (#) so that it reads as follows:

PrintMotd No

The /etc/ssh/sshd_config.default file installed with MP3
includes this corrected entry; if you have not customized
sshd_config, you can simply copy this file to overwrite
the old version.

Updates to the Apache Web Server

The following changes are included with Maintenance Pack 3
in the Apache Web Server component:

Apache Web Server updated to version 1.3.31

PHP updated to version 4.3.5

mod_ssl updated to version 2.8.16

AxKit updated to version 1.6.2

The following changes were included with Maintenance Pack 1
in the Apache Web Server component:

entire suite has been compiled with FD_SETSIZE set
to the maximum value to work with
systems that allow a large number of open file descriptors.
(This allows more than 256 Apache servers to run simultaneously.)

Updates to MMDF

The following sections detail various updates and fixes made to MMDF.

Security fixes

Various buffer overflows, null dereferences, and core dumps that affect
all MMDF binaries have been corrected.
All but one of the MMDF binaries that were setuid root
are no longer (they have
been improved to make this unnecessary), reducing the potential for further
exploitation. The local channel delivery program is still setuid root because
it must deliver mail into users' mailboxes and run processes with users'
UIDs.

Improvements to mmdftailor(F)

Three new MMDF general configuration parameters can be set in
/usr/mmdf/mmdftailor: ORPHANAGE, DEADLETTER,
and TAGCHARS. See
mmdftailor(F)
for more information.

Improvements to submit(ADM)

Messages can now be submitted with a null return address in protocol mode.
Formerly, a null address for either the return address or a recipient
address resulted in the silent termination of address-list processing.
Address-list parsing is now terminated only by a !,
as per the submit specification.

Messages with a null return address that bounce are discarded instead of being
sent to the orphanage.

When messages are submitted with the do-not-return (q)
option, a return address
is no longer passed to remote hosts, preventing bounce messages from being
generated.

relay authorization now correctly interprets aliases
that point offsite,
include the addresses of users who have a .forward
file that points offsite, as still being local addresses.

There is now a "magic" address (@@)
which is like any other bad address
except that if it occurs in a .forward
file or alias no complaint to
supportaddr is issued.
This can be used to prevent mail from being accepted
for certain users, similar to aliasing such users to a nonexistent address but
without the notification that is generated every time a true bad address is
referenced.
An alias to @@ can itself be used in
aliases without generating warning mail,
so that an alias like this can be set up:

@@: nosuchuser

Then the less cryptic address nosuchuser
can be used in aliases and .forward files.

Formerly, if -t ("trust me") was given to
submit but the user was not a trusted
user, a Source-Info line was added. Now in that case a Source-Info line is
added only if the user is not who they claim to be in the most authoritative
From/Sender field. For the purpose of this test, a plain Sender is taken to be
more authoritative than a plain From. If a Resent-, Remailed-, or
Redistributed- version of either a From or Sender field is given, it is taken
to be more authoritative than the plain version of either. All such Re*
headers are taken to be equally authoritative, and the last one seen in the
header (the one furthest down in the header) is taken to be most authoritative.
To determine if the user is who they claim to be, the local-address part of the
most authoritative sender is looked up in the password file to map
it to a UID, and that UID
is compared to the invoking UID. If the UIDs match and
the hostname part of the address is a name for the local system, the user is
who they claim to be.

A new parameter, S, indicates to use a Sender: field instead
of a Source-Info: field, and also causes conflicting Sender: fields in the
submitted header to be elided.

Both lower and upper case characters are now used in queue file names and
message-IDs.
This allows up to 2704 messages to be queued by a single instance
of submit. submit will refuse to accept further messages after that point.
submit previously would use only lower case letters, and would
use non-ASCII characters after those ran out.

Improvements to the local delivery channel: maildelivery(F)

Messages piped into processes via pipe aliases or the "Pipe"
action in a user's .maildelivery
file are now prefixed with a "From" header. This is important
for various mail-processing applications, like procmail,
elm's filter, and mailman.
Any workarounds (like preline) that add a pseudo-"From "
line should be removed.

Variables (like $(address), $(sender), and
$(reply-to)) used in .maildelivery
Pipe actions that expand to nothing are now replaced with an empty argument
instead of being elided.

Improvements to the smtp channel

The following changes have been made to the smtp channel and are
documented in the newly added
smtp(ADM)
and
smtpd(ADM)
manual pages:

Interpretation of SMTP response codes is now compliant with
RFC1123.
All 5xx codes are taken to be indications of permanent failure.
Failure codes in the initial greeting message and in the response to
a HELO are recognized.

The port number given for smtp in /etc/services
will be used. The default is 25.

Two new timing parameters control the behavior of the smtp channel when
connecting to a remote SMTP server to deliver an outbound message:

open_timeout

220_timeout

See the
smtp(ADM)
manual page for more information.

Per RFC2505, the SMTP channel can
be configured to reject messages with a
return address (envelope sender) that contains a domain name that does not
resolve in a manner that would allow mail to be sent to it, meaning that the
message could not be bounced if necessary.
This is done with the
vrfy_sender_domain confstr parameter.

A colon-separated list of hostnames/addresses that should be treated as though
they do not actually exist can be given with the
no_such_domain_hosts confstr
parameter. This is used in conjunction with the
vrfy_sender_domain parameter.
See the new
smtpd(ADM)
manual page for more information.

Improvements to the badusers channel

The badusers channel is intended to
map usernames on the local host to the
same usernames on a different host. It intentionally strips the hostname from
the recipient address when it does this mapping so that the destination host
will treat the recipients as local users. However, it is now common for mail
systems to be configured to refuse to accept a recipient address that contains
only a user name. If the badusers channel is used to forward mail to a host
that is not under the control of the same administrator (for example, a host
that is doing virtual mail hosting), this may present a problem.
To resolve this, the badusers channel has two new confstr parameters,
keepdomain and defdomain. Refer to
submit(ADM)
for more information.

Improvements to the uucp channel: rmail(ADM)

rmail(ADM)
is now executable by group uucp,
and not other, to prevent the authority
of the UUCP system to inject messages
with any sender name from being used by
local users. It is possible that some extremely old software expects to be
able to use rmail to inject messages locally. If this is the case, change the
mode of /usr/bin/rmail to allow others to execute it:

chmod o+x /usr/bin/rmail

Improvements to cleanque(ADM)

cleanque(ADM)
no longer sends warnings about messages that were queued with the
no-return flag. cleanque also has a new command line
option (-t)
that displays the actions it would take on queued messages without
actually doing anything.

Various buffer overflows and other security issues were fixed in MMDF.
fz528322 / erg712434 / SCOSA-2004.7

pmwm and
mwm(XC)
were fixed to allow the key binding for <Ctrl>-<Alt>-<Shift>-1
to be changed or disabled.
fz528631 / erg712515

A system hang was fixed. It was caused by strd looping and trying to
allocate memory for message headers when the mblock table was full.
fz527661 / erg712281

A number of security issues were fixed in Mozilla.
fz528708 / erg712531 / SCOSA-2004.8

getty(M)
now includes a -r option
that prevents it from dropping DTR and
resetting the termio modes at startup. This was the default behavior in
OpenServer 5.0.6 but it was changed in OSR5.0.6a. The -r
option can be used
to revert to the OpenServer 5.0.6 behavior. Some third-party applications
wait for incoming calls, initialize the termio parameters, and then invoke
getty to initiate a login session. In this case, to avoid dropping connections
when getty is invoked, the -r
option should be used by editing both /etc/inittab
and the appropriate file under /etc/conf/init.d
(for standard serial ports,
this would be /etc/conf/init.d/sio)
and adding the -r option to the getty
lines that should have their behavior modified.
fz527207 / erg712222

A problem that prevented kernel builds from succeeding
if $ROOT was longer than 60 characters has been fixed.

The licensing system has been corrected so that
the
brand(ADM)
command now recognizes pre-Release 5.0.7 User and CPU licenses.
In addition, the Licensing Policy Manager Daemon (sco_pmd)
has been fixed so that system restores now correctly restore
the SCO System ID.
This fix makes the OSS646 supplement obsolete
and unnecessary.
fz527794

A panic was corrected in the HTFS filesystem driver.
This panic sometimes occurred when mounting an AFS,
EAFS, or HTFS filesystem
with less than 42Kbytes of free space.
fz527790

A problem on USB keyboards
where typed characters sometimes repeated
has been fixed. This problem tended
to occur on IBM® Blade servers
with a built-in AT-to-USB keyboard adapter.
fz527743

Fixed a null dereferencing problem in MMDF.
fz527660

Changed MMDF format specs so that the
date registered in email headers is padded
with a leading zero if the message is
sent in a single-digit hour (between 1:00 and 9:00).
This addresses the problem of some anti-spam applications
assigning high spam scores to messages simply because the format
of the hour in the date header does not match the applications'
good-date-header test, which expects hours to be represented
in double-digits.

Fixed a security vulnerability in the sendmail binary
that could be exploited by remote users to gain root access.
fz527482/erg712245/CSAA-2003-SCO.6

The
chmod(C)
command was modified so it does not apply changes
to files if permissions are already correct.
This modification may significantly improve performance,
especially over an NFS mount, of commands like:

chmod -R +r /data

The
crontab(C)
command has been corrected to always exit with an error status
if it fails, or zero (no error) status if it succeeds.
fz300043

A problem was corrected which caused
uudecode(C)
to dump core when decoding from standard input.
fz527731

A buffer overflow in the wordwrap() function in
releases of PHP previous to version 4.3.0
and later than version 4.1.2 has been fixed. Under
certain circumstances, this buffer overflow created
a security vulnerability.
fz527514 / erg712258

Fixed a security vulnerability where a TCP/IP
socket could become permanently stuck in a SYN_SENT
state, thereby making the system vulnerable to a denial-of-service
attack.
fz526775 / erg712173 / erg711405

The problem of data transfers not always working if
the FTP daemon was configured in /etc/services
to run on a non-standard port or if the daemon was
invoked with the -P argument has been fixed.
fz527753

The
telnetd(ADMN)
command now has a -r
option to specify which pseudo-terminals (ptys) to use,
which is useful in the following situations:

Restrict telnetd to using ptys in a given range,
so that other ptys can be dedicated to other functions.

Assign a telnetd that is bound to a particular
non-standard port a specific pty so that a login
on that port will always get the same pty name (as required
by some older applications created when hard-wired serial
terminals were the norm).

A buffer overflow in BIND that could
lead to security vulnerabilities has been fixed.
fz526617 / erg712158 / CSSA-2003-SCO.17 / CAN-2002-1219

Fixed some minor problems in the
PPP Connection Wizard interface.

Fixed an SMP problem where PCI interrupt sharing
was broken when one or more of the drivers sharing
an interrupt was able to handle the interrupt
on any processor. Symptoms of this problem
included spurious and lost interrupts.
fz526928

Fixed a panic that occurred when booting a system with
SMP installed. The panic occurred most
commonly in kmem_alloc() while
the /etc/sysdump -qi /dev/swap -o /dev/swap command
was running in a different process. Typically, this
problem was encountered on systems with large swap areas
(around 2.5GB) and the
usb_ohci driver enabled.
fz527402

Fixed a problem that caused
the Mylex/BusLogic blc SCSI HBA driver
to fail when booting with SMP installed.
The error message produced in this situation was:

WARNING: apic - no BIOS information found for irq IRQ_NUM

Fixed a number of bugs in SCO OpenServer Development System
header files and tools.
fz527564 / fz527644 / fz527678

The C Compilation Subsystem (CCS) has been updated
to be more strictly gABI compliant.
This includes changes to the assemblers, link editors,
and startup files to support
the special .init_array and .fini_array
sections in ELF programs
that certain third-party C++ compilers use.
fz527038 / fz527718

Maintenance Pack notes and limitations

The following notes and limitations apply
to the SCO OpenServer Release 5.0.7 Maintenance Pack 3:

On SCO OpenServer Release 5.0.7 Host systems where networking is only configured for
loopback (or network configuration is deferred at installation), the
Apache webserver fails to start. (Docview does start and appears
to be running.)

After installing SCO OpenServer Release 5.0.7 Maintenance Pack 3, you
may need to update a few configuration files that are part of
the GIMP Toolkit (GTK+) and necessary for operation of Mozilla.
Some of the path names in the
default configuration have changed, but the upgrade process does not
modify these files automatically because you may have customized them for
your own purposes.

Each file has a default file in the same directory. For most sites, you can
simply copy the new default file to the data file. If you have loaded extra objects into
these data directories, you may need to run a special command to produce
the correct configuration file. The files affected are:

/etc/pango/pango.modules

To regenerate this file if you have added extra modules, use the
command pango-querymodules after the upgrade and redirect the output
of that program to this file. If you have not added any Pango modules,
simply execute:

cp pango.modules.default pango.modules

/etc/gtk-2.0/gtk.immodules

Regenerate this file using the command gtk-query-immodules-2.0, or
copy the default using the command:

cp gtk.immodules.default gtk.immodules

/etc/gtk-2.0/gdk-pixbuf.loaders

Regenerate this file using the command gdk-pixbuf-query-loaders,
or copy the default file using the command:

cp gdk-pixbuf.loaders.default gdk-pixbuf.loaders

/etc/pango/pango.aliases

If you have made changes,
you may need to examine the new default file to
see if there are specific changes you want to
merge into your configuration file; otherwise
copy the default file using the command:

cp pango.aliases.default pango.aliases

/etc/pango/pangorc

If you have made changes,
you may need to examine the new default file to
see if there are specific changes you want to
merge into your configuration file; otherwise
copy the default file using the command:

cp pangorc.default pangorc

/etc/pango/pangox.aliases

If you have made changes,
you may need to examine the new default file to
see if there are specific changes you want to
merge into your configuration file; otherwise
copy the default file using the command:

cp pangox.aliases.default pangox.aliases

/usr/lib/php.ini

This file also has an updated default
file named /usr/lib/php.ini-dist. If you
are not an SCO Update Service customer and you copy
the updated file over the existing php.ini
file, please note that PHP will fail to load unless
you comment out the PostgreSQL module. This can be
found on line 552 of the default file:

extension=libpgsql.so

To comment out this entry, simply insert a semicolon (;)
at the beginning of the line.

Previously, the icons in /usr/lib/apache/icons
did not display in Apache because the icon directory and files
are symbolic links. This also prevented test scripts located in
/usr/lib/apache/cgi-bin from running properly.
To correct these problems, the FollowSymLinks
option has been added to the /usr/lib/apache/conf/httpd.conf.default
file. If no modifications were made to the original file,
you can copy the default file to /usr/lib/apache/conf/httpd.conf.
If you have customized the
httpd.conf file, you must
incorporate the change manually, as shown here:

You will not be able to use the SCO Update
feature in the Software Manager
if you are behind a firewall that prevents
incoming FTP connections (i.e.,
the use of passive FTP is required).
If you try to connect to the
SCO Update server in this situation,
the Software Manager displays
the following timeout message after a few minutes:

Unable to initialize device

A fix for this problem will be made available
in a future supplement or release.

If you did not install MP1 and you completed a backup of your system prior
to installing Maintenance Pack 3 or
the SCO OpenServer Release 5.0.7 Licensing Update (SLS OSS656B),
you should refresh the backup after you
complete the installation of Maintenance Pack 3.

If you need to restore a system using a backup that was created
prior to the installation of Maintenance Packs 1, 3, or OSS656B,
the Licensing Policy Manager Daemon (sco_pmd) may not start.
If you experience this, log in as root, put the
system in single-user mode, and run the following:

brand -B oyrarg

Afterwards, reboot your system; the sco_pmd daemon
will now be able to start.

If you encounter a situation where you need to
stop the Licensing Policy Manager Daemon (sco_pmd) --
for example, you are migrating a system on the network to
new hardware and you start receiving duplicate license violations --
be sure to use the following command for an orderly shutdown:

sco_pmd -s

For more information on sco_pmd,
including how to start and stop the daemon,
see the
sco_pmd(ADM)
manual page.

Several tunable parameters for the System V Inter Process Communications (IPC)
shared memory and semaphore facilities have been updated. The default
settings were raised to values which should accommodate most commercial and
open source databases without additional tuning. The maximum
values of several parameters were also raised. The changes increase kernel
memory usage by approximately 33K.

Installation of this Maintenance Pack raises the default and maximum values
of these parameters as follows:

Parameter name

Previous default

Previous maximum

New default

New maximum

SEMMAP

10

-

256

-

SEMMNI

10

-

384

-

SEMMNS

60

-

512

-

SEMMNU

30

100

150

8192

SEMMSL

25

-

50

-

SEMOPM

-

10

-

1024

SEMUME

-

10

-

25

SHMMAX

524288

-

10485760

-

SHMMNI

100

-

200

-

Individual parameters that have already been set higher than these
values are not changed.